Mashups may be all the rage, but they can expose the enterprise to all manner of security risks. Enter the OpenAjax Alliance and its new standard for more secure mashing.

Fighting the War on Scam

As if there aren't enough threats out there, companies are being faced with ever more inventive ones, including the "malicious widget": a widget that a developer or user borrows as part of their own well-intended mashup, and which can expose company data, login details and other information to unwanted inspection.

As spammers and scammers get slowly pushed out of email and the browser, their next target is, logically, going to be where the mass of users are. With Google Maps, web documents, desktop gadgets and others attracting lots of interest, criminals will be paying close attention.

OpenAjax, launched back in February 2006, promotes the safe use of HTML and JavaScript widgets and has over 100 companies (including IBM, Microsoft and Software AG) behind the initiative.

Securing the Mashup

It will only take one rogue feature in any single part of the mashup, be it a session snooper, data being fed to a third-party site or a keylogger, and any company can run into trouble. The OpenAjax Alliance's approach to preventing this is called Hub 2.0 (alongside its metadata standard, which we covered last year).

Hub 2.0 fences each of the parts of the mashup into its own sandbox, only allowing communication over an authorized and secure messaging engine to prevent data leaking outside of the mashup. On the Alliance site, one white paper explains the basic concept while another goes into a little more detail.
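To make the "managed hub" idea concrete, here is an added illustration (not OpenAjax Hub code, and not its API) of the pattern the paragraph describes: every widget receives only a narrow client handle, all publish and subscribe calls pass through a policy check inside the hub, and refused actions are recorded so the host page can see a borrowed widget probing for data it was never granted. The widget names, topic names and allow-lists are constructed for the demo.

```javascript
// Added example: a minimal model of a policy-enforcing publish/subscribe hub.
// This is NOT the OpenAjax Hub implementation; it only shows the pattern of
// fencing widgets behind a hub that checks a security policy on every message.

class ManagedHub {
  constructor(policy) {
    this.policy = policy;       // { canPublish(id, topic), canSubscribe(id, topic) }
    this.clients = new Map();   // clientId -> Map<topic, callback>
    this.denied = [];           // audit trail of refused actions
  }

  // Register a widget. The returned handle is the only object the widget sees,
  // and it is bound to the widget's own id, so one widget cannot speak as another.
  connect(clientId) {
    if (this.clients.has(clientId)) throw new Error(`client ${clientId} already connected`);
    this.clients.set(clientId, new Map());
    return {
      subscribe: (topic, cb) => this.subscribe(clientId, topic, cb),
      publish: (topic, data) => this.publish(clientId, topic, data),
    };
  }

  subscribe(clientId, topic, callback) {
    if (!this.policy.canSubscribe(clientId, topic)) {
      this.denied.push({ op: 'subscribe', clientId, topic });
      return false;
    }
    this.clients.get(clientId).set(topic, callback);
    return true;
  }

  // Returns the number of subscribers the message was delivered to (0 if refused).
  publish(clientId, topic, data) {
    if (!this.policy.canPublish(clientId, topic)) {
      this.denied.push({ op: 'publish', clientId, topic });
      return 0;
    }
    let delivered = 0;
    for (const subs of this.clients.values()) {
      const cb = subs.get(topic);
      if (cb) {
        // Deliver a copy so one widget cannot mutate another widget's view of the data.
        cb(topic, JSON.parse(JSON.stringify(data)), clientId);
        delivered++;
      }
    }
    return delivered;
  }
}

// Static per-widget allow-lists: the simplest form of hub security policy.
function aclPolicy(acl) {
  const allowed = (id, kind, topic) => ((acl[id] && acl[id][kind]) || []).includes(topic);
  return {
    canPublish: (id, topic) => allowed(id, 'publish', topic),
    canSubscribe: (id, topic) => allowed(id, 'subscribe', topic),
  };
}

// Demo: a trusted in-house chart, a trusted dashboard and a borrowed third-party
// widget share one page. All names and topics are constructed for this example.
function runDemo() {
  const hub = new ManagedHub(aclPolicy({
    salesChart:   { publish: ['data.sales'],  subscribe: ['ui.filter'] },
    dashboard:    { publish: ['ui.filter'],   subscribe: ['data.sales', 'ui.weather'] },
    weatherBadge: { publish: ['ui.weather'],  subscribe: ['ui.filter'] },
  }));

  const chart = hub.connect('salesChart');
  const dash = hub.connect('dashboard');
  const badge = hub.connect('weatherBadge');

  const seenByBadge = [];
  // The borrowed widget tries to listen in on company data: refused and logged.
  const snooped = badge.subscribe('data.sales', (t, d) => seenByBadge.push(d));
  // Its legitimate subscription succeeds.
  badge.subscribe('ui.filter', (t, d) => seenByBadge.push(d));
  // It also tries to inject fake figures into the trusted topic: refused and logged.
  const injected = badge.publish('data.sales', { q1: 0 });

  chart.subscribe('ui.filter', () => {});
  dash.subscribe('data.sales', () => {});

  // Real sales figures reach the dashboard only; the badge never sees them.
  const deliveredSales = chart.publish('data.sales', { q1: 125000 });
  // A UI filter change reaches both the chart and the badge.
  const deliveredFilter = dash.publish('ui.filter', { region: 'EMEA' });

  return {
    snooped,
    injected,
    deliveredSales,
    deliveredFilter,
    badgeSawSales: seenByBadge.some((d) => d && 'q1' in d),
    denied: hub.denied.length,
  };
}
```

The point of the handle returned by `connect` is that a widget never touches the hub object or other widgets directly; it can only ask the hub, under its own identity, and the hub decides. A real implementation would back this with an isolation boundary (for example, a separate frame per untrusted widget) so that the handle is the only channel available, not merely the only one offered.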

Hub 2.0 Features

Features of Hub 2.0 are based, in part, on work from IBM on secure mashups, which addressed the tension between security and scalability: hardening a mashup tended to limit how far it could scale, and vice versa.

Features include the managed hub that isolates the components of the mashup (a big step up from v1.0), integration with OpenSocial technologies, fast acceptance for trusted widgets and a test suite.

The open source code also lets developers extend the architecture and customize their mashups.

Is it time to ensure your mashups are secure? Check out the OpenAjax Alliance and Hub 2.0.